Issue 873: The dashboard reveals the user’s name to everyone
Status:  WontFix
Owner:  ----
Closed:  Sep 2012


Reported by san...@nvidia.com, Mar 8, 2011
Affected Version: All versions with URL dashboard access. Reproducible on 2.1.6.1 as well.

What steps will reproduce the problem?
1. Visit any Gerrit web site. I will use https://review.source.android.com/ for the purpose of this bug.
2. Try to visit the dashboard of another user. It does not matter whether the user is logged in or not. E.g.: https://review.source.android.com/#dashboard,1
3. The number at the end can be replaced with any other number, and kept on being incremented till I get the list of all the users and their names.

What is the expected output? What do you see instead?
Unless the user is an administrator, he should not be able to see others’ dashboards. The name alone can potentially leak information.

This bug prevents the use of Gerrit in situations where users in different groups (possibly from different companies) should not know about each other.
Mar 8, 2011
Project Member #1 bklarson@gmail.com
Personally I view this as a feature, not a bug.  It is very handy for me to see what other people on my team have been working on or to quickly find a patch somebody else just merged, etc.  If we do change this, I'd request for it to be a setting and not changed across the board.
Mar 17, 2011
#2 FrankBou...@gmail.com
It is an issue when you have a server like partner.source.android.com that is shared by competing companies.  I agree this isn't an issue for a server on an intranet, or on a public server that is used purely for open source development.

Sep 18, 2012
Project Member #3 choro...@wikimedia.org
Marking this as WontFix as it's not really a problem anymore. With 2.5, dashboards have changed so:
A) /dashboard/<uid> doesn't expose a user anymore
B) /dashboard/ now allows custom dashboards for constructing these sorts of pages with sections & such
Status: WontFix